Assessment & Audit

Regular assessments and audits are critical to the success of any Corporate Information Security Program.  In the process of conducting business, it is reasonable to expect that technology-based and process-based vulnerabilities, as well as regulatory compliance issues, will emerge even in the presence of effective security technologies and processes.  A properly executed Information Security Audit is critical to identifying such vulnerabilities and compliance issues and to defining an effective process for dealing with them.

Policy Gap Analysis
The Corporate Information Security Policy defines the foundation for the technical and procedural measures taken to ensure the privacy, availability, and integrity of your company’s digitally stored and transmitted information.  As a part of the STIGroup audit process, existing information security policies are reviewed to ensure that they are appropriate for achieving the goals of the Corporate Information Security Program.  Specific attention is given to applicable regulations and standards pertaining to information security (PCI, CFAT, FISMA, FDIC, GLBA, HIPAA, etc.) and to whether or not the existing policies are consistent with those regulations and standards.

Vulnerability and Penetration Testing
Vulnerabilities may be present in infrastructure or hosts due to hardware or software flaws, issues inherent to implementation, design flaws, and/or configuration errors.  The STIGroup audit process includes automated and manual tests geared towards identifying such vulnerabilities, the potential paths of exploit for the vulnerabilities identified, and the associated business risks.  This process covers internal networks and systems, as well as points of intersection with public networks and other external entities.

Process Review
Information security measures in any business are accomplished through some combination of technology and process.  The STIGroup security audit process includes procedures to ensure your information security processes are reviewed for appropriateness and effectiveness towards the Corporate Information Security Program goals.  This review includes staff interviews, detailed reviews of procedural audit trails, and the division of responsibilities among personnel.

Policy and Regulatory Compliance Review
Since the Corporate Information Security Policy is the foundation for the success of the information security program, assurance measures must be in place to ensure that technology implementations and their associated processes stay in compliance.  An appropriate security audit is a critical component of this assurance process.  As a part of the STIGroup audit process, a detailed assessment is done to validate compliance with the Corporate Information Security Policy, including the elements of applicable regulations and standards not specifically covered by the policy.

Assessment and Audit Deliverables
A key benefit of an STIGroup Information Security Audit is the structure and content of the deliverables.  STIGroup provides the data concerning the vulnerabilities and policy violations identified, as well as a prioritized remediation strategy with budgetary and timeline considerations.  Management response is solicited and included in the final report to validate management “buy-in” and commitment to the resolution strategy.  Audit deliverables structured in this manner are critical to an effective strategy for technology and personnel to achieve the information security goals.

Tactical Assessment and Audit Services
In addition to a comprehensive security audit, STIGroup offers the following tactical services, all of which can be executed independently or as a part of a larger audit strategy:

  • External and Internal Penetration Testing
  • Social Engineering
  • VoIP Vulnerability Assessment
  • System Configuration Audit
  • Application Vulnerability Assessment
  • Wireless Vulnerability Assessment
  • Policy and Procedure Audit
  • Regulatory Compliance Audit
  • Data Leakage Assessment
  • Incident Response Assessment

These tactical services can be selectively employed to fill a gap in the Corporate Information Security Program or to structure a custom, comprehensive, ongoing security audit service for your business.